[strongSwan] Ubuntu CLI client works Network Manager fails

Alex Sharaz alex.sharaz at york.ac.uk
Fri Dec 1 17:05:41 CET 2017

or I could install freeradius on the strongswan server and let it handle
the eap side of things and then there is a virtual server that proxies off
the inner tunnel stuff to another server for authentication. That way the
radius server uses the strongswan server cert  so we don't have this

Would be better than changing code and sswan config still uses eap-radius
but points to itself

On 1 December 2017 at 15:21, Alex Sharaz <alex.sharaz at york.ac.uk> wrote:

> o.k lots of options ...
> Think I need the charon-nm for our Ubuntu network manager users .. keeps
> it simple
> Think Il'l try patching charon-nm first
> Thanks
> A
> On 1 December 2017 at 14:34, Tobias Brunner <tobias at strongswan.org> wrote:
>> Hi Alex,
>> > so you're saying that my radius server also needs to have
>> vpn.york.ac.uk
>> > as a SubjAltName in it as well ?
>> Yes, that's one option.  Not using the NM plugin is another.  With the
>> config files you can set the AAA identity to vpn.york.ac.uk so it
>> matches the certificate (or %any so any identity is accepted, the RADIUS
>> server's certificate just has to be trusted).  You can also patch
>> charon-nm so it sets the AAA identity, or make it even configurable in
>> the GUI.
>> You can also not use EAP-PEAP and just authenticate the clients with
>> EAP-MSCHAPv2/MD5/GTC directly (and if necessary secure the connection
>> between VPN and RADIUS server with IPsec).
>> Regards,
>> Tobias
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20171201/e1efc113/attachment.html>

More information about the Users mailing list